At the moment our students are going through a plain ISA 2000 proxy server. It works well enough, we have no technical problems and internet access is as fast as our connection allows. ISA allows you to decide who has access and who doesn't, you can easily filter MIME types, schedule hours, bandwidth priorities and keeps meaningful and detailed logs. However one feature that ISA lacks is any kind of meaningful filtering. Unfortunately third party ISA filters like Surfcontrol cost a fortune so those aren't really viable options.
We absolutely must have transparent authentication for students. I don't want them to have to enter their user name and password each and every time they use the internet as as soon as one of them gets a ban, they'll use someone else's password instead.
I've been looking into the various prebuild Squid packages like IPCop, Endian and Smoothwall. However I've hit a snag. Adding NTLM and LDAP authentication to IPCop and Smoothwall is very easy, just install the Advproxy add on and it works. I've chosen Dansguardian for filtering on the basis of recommendations here and because our ISP uses it to great effect. For Advproxy's authentication methods to work the "Transparent" proxy mode needs to be turned off. From what I understand, for Dansguardian to work properly, "Transparent" mode needs to be turned on.
I mentioned Endian up there. Endian appears to be a version of IP Cop with Dansguardian and Advproxy bundled in. However they use an old version of Advproxy which has broken NTLM and LDAP authentication so it is useless for my needs.
So, bar using two servers (One for filtering, one for authentication), how do I do this? :P
According to the endian documentation integrated authentication works.
http://www.endian.it/fileadmin/docum...tepbystep.ldap
Ben
I can promise you, it doesn't.
You can't have a 'transparent' proxy and have authentication. The two things are multually exclusive.
You can have NTLM auth though, which is transparent to your users (and I suspect what you really meant) and use filtering. It's exactly how I have things setup here.
I'm just reporting what it says in the software. May I refer you to this screenshot. See the
According to the documentation I can find on the DG mod for Smoothwall, that "Transparent on Green" box has to be checked for it to work. (see here. However check that "Transparent on green" box and try turning on the NTLM or LDAP auth and it says "Transparent mode must be disabled for authentication". Taken from the advproxy manual here:
So, to recap, yes I do want transparent authentication for my users (IE they don't get presented with an authentication box when they access the net). I stated as much in the original post. However it seems I can't have this Transparent on Green mode turned on if I want DG to work properly on the same box.4.1.2 Transparent on <Interface>
If the transparent mode is enabled, all requests for the destination port 80 will be forwarded to the Proxy
Server without the need of any special configuration changes to your clients.
Note: Transparent mode works only for destination port 80. All other requests (e.g. port 443 for SSL) will
bypass the Proxy Server.
Note: When using any type of authentication, the Proxy may not run in transparent mode.
Note: To enforce the usage of the Proxy Server in non-transparent mode, you will have to block all outgoing
ports usually used for http traffic (80, 443, 8000, 8080, etc.).
Ok. Don't run it in 'transparent' mode. ie, when it's listening on port 80. Run it on it's normal port (3128? 8080?) and set the proxy in the GPOs. Dansguardian should be quite happy with that. It's how I have it setup here.
What Geoff is saying is that you are getting transparent authentication mixed up with a transparent proxy.
The authentication is transparent by default with advanced proxy. The transparent option refers to all web requests that hit the gateway being rerouted to the proxies normal port rather than the proxy port being specificially set it the browser.
All the schools in our lea connect to an isa 2000 server running surfcontrol for web filtering.
To enable transparent authentication (mainly in primaries) we install a pyhton NTLM script on a server and point all the desktops at the server ip.
Works well and if you use ntwrapper you can install the script as a service and jst forget about it.
python? what's it like performance wise?
I suppose as it deals authentication it's only called once or twice in a session.
Works fine m8 - no performance issues here
http://www.python.org/ for program
http://www.geocities.com/rozmanov/ntlm/ - ntlm script
Briefly
Install python 2.4
Unzip the ntlm into the python directory (overwrite files)
edit the server.cfg file; use the pyhton app IDLE to edit.
once edited run the main.py file - ntlm script is now running
to set as service download and install ntwrapper (allows 1 app to be installed as a service for free)
edit the runserver.bat file in the python dir to point to main.py
install the runserver.abt file as a service - job done
Thanks. I will look at the links.
Any reason to NT Wrapper over SrvyAny?
just that i could not get srvany to work with this script.
Whatever works
I got good news, and I got bad news.
Bad news 1st. Theoretically, it is impossible to auth against a transparent proxy.
This is because the browser does not know there is a proxy there so if suddently someone asked it to authenticate, it would confuse the poor thing.
Remember that transparent proxying is just a firewall trick.
Good news 1: you can "emulate" t/prox t/auth using out-of-band auth like ident.
Good news 2: There is another way too do it, but only BlueCoat (to my knowledge) support this and their implementation is flaky and expensive.
What I can recommend, however, is that SmoothWall will be bringing out a product which supports this type of Authentication in the next 8 months. I doubt version 5 of SchoolGuardian will support it though, as that comes out in Januaray, and there are few developer-months remaining.
@tom_newton: You say the authentication problem stems from the browser not expecting the auth request upon requestion a web page. In transparent mode, is the only difference that the proxy is accepting connections on port 80? If that's true, in theory it should be possible to change the proxy port on the client to port 80 in the usual way, GPO, script etc.? Or is there something actually more complicated behind the scenes that's going on?
Yeah, that would be a solution of sorts - however, that's the same thing as having a non-transparent proxy - either you have to set all your clients to know there's a proxy, or you have to do some out-of-band auth.Originally Posted by webman
SmoothWall are working on OOB auth that requires nothing more than a web browser.
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote